diff --git a/.github/workflows/consul.yaml b/.github/workflows/consul.yaml index 14ca037d..c2da4319 100644 --- a/.github/workflows/consul.yaml +++ b/.github/workflows/consul.yaml @@ -26,7 +26,7 @@ on: required: false default: ubuntu-latest scope: - description: Consul Test Scope (pr or nightly) + description: Consul Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -57,7 +57,7 @@ on: required: false default: ubuntu-latest scope: - description: Consul Test Scope (pr or nightly) + description: Consul Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -120,8 +120,10 @@ jobs: CONFIG_FILE="./workflow-config/consul_nightly.yaml" elif [[ "$SCOPE" == "pr" ]]; then CONFIG_FILE="./workflow-config/consul.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/consul_hardening.yaml" else - echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'." + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." exit 1 fi ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" @@ -348,6 +350,17 @@ jobs: if: matrix.test.sequence == 'upgrade' run: sleep 90s + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@cabbb90e9471163cfac84bd50ff0296b2803b44c # v2.3.0 + with: + namespaces: consul + output-file: consul-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Consul upgrade if: matrix.test.sequence == 'upgrade' uses: ./qubership-test-pipelines/actions/shared/verify_installation diff --git a/.github/workflows/kafka.yaml b/.github/workflows/kafka.yaml index 033658b4..1ee8035c 100644 --- a/.github/workflows/kafka.yaml +++ b/.github/workflows/kafka.yaml 
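Review bot: The new Hardening Check step in consul.yaml sets `execute-trivy-scan: false`, as do the matching steps added for pgskipper, rabbitmq and zookeeper, while the monitoring and opensearch steps in this same diff set it to `true`; with nothing on the step explaining the split, a `hardening` run for four of the six services does no image vulnerability scan at all. If the omission is deliberate (runtime, or images already scanned elsewhere), a comment on the line such as `execute-trivy-scan: false  # image scan runs in the service build pipeline` keeps the next reader from "fixing" it; otherwise the value should be `true` for all six. The scope-selection shell block in the same file is also now copied verbatim into every workflow, so a shared composite action under `./qubership-test-pipelines/actions/shared` would keep the accepted scope list in one place.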
@@ -538,7 +538,7 @@ jobs: - name: Hardening Check if: inputs.scope == 'hardening' - uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2 + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@cabbb90e9471163cfac84bd50ff0296b2803b44c # v2.3.0 with: namespaces: ${{ env.kfk_srvc_namespace }} output-file: kafka-service-hardening-scan.json diff --git a/.github/workflows/monitoring.yaml b/.github/workflows/monitoring.yaml index c0bce62f..f6de44b1 100644 --- a/.github/workflows/monitoring.yaml +++ b/.github/workflows/monitoring.yaml @@ -30,6 +30,11 @@ on: type: string required: false default: multi-node + scope: + description: Monitoring Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr skip_tests: description: Skip all tests (for doc-only changes) type: boolean @@ -62,6 +67,11 @@ on: type: string required: false default: multi-node + scope: + description: Monitoring Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr skip_tests: description: Skip all tests (for doc-only changes) type: boolean 
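Review bot: The new `scope` input in monitoring.yaml is declared as `type: string`, so a manual dispatch can pass any value and only fails later inside the matrix step; for the block that belongs to `workflow_dispatch` (presumably the first of the two, hedged since the trigger key is outside the hunk) GitHub supports `type: choice` with `options: [pr, nightly, hardening]`, which rejects a typo at dispatch time and documents the accepted values in the UI. The `workflow_call` block cannot use `choice`, so the shell validation added below is still needed there. The same applies to the `scope` inputs added for pgskipper and zookeeper.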
@@ -100,12 +110,23 @@ jobs: - name: Process versions file and matrix generation id: process-versions env: + SCOPE: ${{ inputs.scope }} LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }} SERVICE_BRANCH: ${{ inputs.service_branch }} working-directory: ${{ github.workspace }}/qubership-test-pipelines run: | chmod +x ./scripts/matrix.sh - ./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/monitoring.yaml "$SERVICE_BRANCH" + if [[ "$SCOPE" == "nightly" ]]; then + CONFIG_FILE="./workflow-config/monitoring_nightly.yaml" + elif [[ "$SCOPE" == "pr" ]]; then + CONFIG_FILE="./workflow-config/monitoring.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/monitoring_hardening.yaml" + else + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." + exit 1 + fi + ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" Monitoring-Test-Cases: if: ${{ !inputs.skip_tests }} @@ -209,6 +230,17 @@ jobs: if: matrix.test.sequence == 'upgrade' run: sleep 2m + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@cabbb90e9471163cfac84bd50ff0296b2803b44c # v2.3.0 + with: + namespaces: monitoring + output-file: monitoring-hardening-scan.json + install-kubescape: true + execute-trivy-scan: true + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Get Upgraded Monitoring CR name if: matrix.test.sequence == 'upgrade' uses: ./qubership-test-pipelines/actions/shared/get_crds diff --git a/.github/workflows/opensearch.yaml b/.github/workflows/opensearch.yaml index 3efac9a4..0f250afd 100644 --- a/.github/workflows/opensearch.yaml +++ b/.github/workflows/opensearch.yaml 
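Review bot: The new matrix step in monitoring.yaml selects `./workflow-config/monitoring_nightly.yaml` for `scope: nightly`, but this diff only adds `monitoring_hardening.yaml`; if the nightly file does not already exist in the repository, a `nightly` run now passes the validation branch and fails later inside `matrix.sh` with a less clear error. The same pattern appears in the pgskipper and zookeeper matrix steps (`pgskipper_nightly.yaml`, `zookeeper_nightly.yaml`). A guard such as `[[ -f "$CONFIG_FILE" ]] || { echo "::error::Config file '$CONFIG_FILE' not found"; exit 1; }` before the `matrix.sh` call would surface the problem at the point where it can be understood.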
@@ -25,7 +25,7 @@ on: required: false default: ubuntu-latest scope: - description: Opensearch Test Scope (pr or nightly) + description: Opensearch Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -55,7 +55,7 @@ on: required: false default: ubuntu-latest scope: - description: Opensearch Test Scope (pr or nightly) + description: Opensearch Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -117,8 +117,10 @@ jobs: CONFIG_FILE="./workflow-config/opensearch_nightly.yaml" elif [[ "$SCOPE" == "pr" ]]; then CONFIG_FILE="./workflow-config/opensearch.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/opensearch_hardening.yaml" else - echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'." + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." exit 1 fi ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" @@ -351,6 +353,17 @@ jobs: if: ${{ matrix.test.sequence == 'upgrade' }} run: sleep 1m + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@cabbb90e9471163cfac84bd50ff0296b2803b44c # v2.3.0 + with: + namespaces: opensearch + output-file: opensearch-hardening-scan.json + install-kubescape: true + execute-trivy-scan: true + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Opensearch upgrade to [${{ matrix.test.upgrade_version }}] if: ${{ matrix.test.sequence == 'upgrade' }} uses: ./qubership-test-pipelines/actions/shared/verify_installation diff --git a/.github/workflows/pgskipper.yaml b/.github/workflows/pgskipper.yaml index 1a0c342e..cdef2e89 100644 --- a/.github/workflows/pgskipper.yaml +++ b/.github/workflows/pgskipper.yaml 
@@ -25,6 +25,11 @@ on: type: string required: false default: ubuntu-latest + scope: + description: Pgskipper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr service_versions_json: description: PostgreSQL image versions as JSON type: string @@ -62,6 +67,11 @@ on: type: string required: false default: ubuntu-latest + scope: + description: Pgskipper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr service_versions_json: description: PostgreSQL image versions as JSON type: string @@ -123,12 +133,23 @@ jobs: - name: Process versions file and matrix generation id: process-versions env: + SCOPE: ${{ inputs.scope }} LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }} SERVICE_BRANCH: ${{ inputs.service_branch }} working-directory: ${{ github.workspace }}/qubership-test-pipelines run: | chmod +x ./scripts/matrix.sh - ./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/pgskipper.yaml "$SERVICE_BRANCH" + if [[ "$SCOPE" == "nightly" ]]; then + CONFIG_FILE="./workflow-config/pgskipper_nightly.yaml" + elif [[ "$SCOPE" == "pr" ]]; then + CONFIG_FILE="./workflow-config/pgskipper.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/pgskipper_hardening.yaml" + else + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." + exit 1 + fi + ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" - name: Parse JSON into matrix id: parse-matrix 
@@ -344,6 +365,17 @@ jobs: if: matrix.test.sequence == 'upgrade' run: sleep 10s + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@cabbb90e9471163cfac84bd50ff0296b2803b44c # v2.3.0 + with: + namespaces: pgskipper + output-file: pgskipper-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Pgskipper Services upgrade if: matrix.test.sequence == 'upgrade' uses: ./qubership-test-pipelines/actions/shared/verify_installation diff --git a/.github/workflows/rabbitmq.yaml b/.github/workflows/rabbitmq.yaml index 9a0a4d51..8bcdad56 100644 --- a/.github/workflows/rabbitmq.yaml +++ b/.github/workflows/rabbitmq.yaml @@ -26,7 +26,7 @@ on: required: false default: ubuntu-latest scope: - description: RabbitMQ Test Scope (pr or nightly) + description: RabbitMQ Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -56,7 +56,7 @@ on: required: false default: ubuntu-latest scope: - description: RabbitMQ Test Scope (pr or nightly) + description: RabbitMQ Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -119,8 +119,10 @@ jobs: CONFIG_FILE="./workflow-config/rabbitmq_nightly.yaml" elif [[ "$SCOPE" == "pr" ]]; then CONFIG_FILE="./workflow-config/rabbitmq.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/rabbitmq_hardening.yaml" else - echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'." + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." exit 1 fi ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" 
@@ -308,6 +310,17 @@ jobs: if: ${{ matrix.test.sequence == 'upgrade' }} run: sleep 1m + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@cabbb90e9471163cfac84bd50ff0296b2803b44c # v2.3.0 + with: + namespaces: rabbitmq + output-file: rabbitmq-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify RabbitMQ upgrade if: ${{ matrix.test.sequence == 'upgrade' }} uses: ./qubership-test-pipelines/actions/shared/verify_installation diff --git a/.github/workflows/zookeeper.yaml b/.github/workflows/zookeeper.yaml index cfec9fcc..b01842de 100644 --- a/.github/workflows/zookeeper.yaml +++ b/.github/workflows/zookeeper.yaml @@ -24,6 +24,11 @@ on: type: string required: false default: ubuntu-latest + scope: + description: Zookeeper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr skip_tests: description: Skip all tests (for doc-only changes) type: boolean @@ -54,6 +59,11 @@ on: type: boolean required: false default: false + scope: + description: Zookeeper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr secrets: AWS_S3_ACCESS_KEY_ID: 
@@ -108,10 +118,21 @@ jobs: env: LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }} SERVICE_BRANCH: ${{ inputs.service_branch }} + SCOPE: ${{ inputs.scope }} working-directory: ${{ github.workspace }}/qubership-test-pipelines run: | chmod +x ./scripts/matrix.sh - ./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/zookeeper.yaml "$SERVICE_BRANCH" + if [[ "$SCOPE" == "nightly" ]]; then + CONFIG_FILE="./workflow-config/zookeeper_nightly.yaml" + elif [[ "$SCOPE" == "pr" ]]; then + CONFIG_FILE="./workflow-config/zookeeper.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/zookeeper_hardening.yaml" + else + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." + exit 1 + fi + ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" Zookeeper-Test-Cases: if: ${{ !inputs.skip_tests }} @@ -273,6 +294,17 @@ jobs: if: matrix.test.sequence == 'upgrade' run: sleep 1m + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@cabbb90e9471163cfac84bd50ff0296b2803b44c # v2.3.0 + with: + namespaces: zookeeper + output-file: zookeeper-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Zookeeper upgrade if: matrix.test.sequence == 'upgrade' uses: ./qubership-test-pipelines/actions/shared/verify_installation @@ -306,7 +338,7 @@ jobs: # 15-Clean [LATEST] TLS Clean-Latest-TLS: - if: ${{ !inputs.skip_tests }} + if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }} runs-on: ${{ inputs.runner_type }} name: Clean [${{ inputs.service_branch }}] TLS steps: 
@@ -407,7 +439,7 @@ jobs: # 16-Clean [LATEST] TLS Secrets Clean-Latest-TLS-Secrets: - if: ${{ !inputs.skip_tests }} + if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }} runs-on: ${{ inputs.runner_type }} needs: Clean-Latest-TLS name: Clean [${{ inputs.service_branch }}] TLS Secrets @@ -467,7 +499,7 @@ jobs: # 17-Upgrade [LATEST] TLS Certificates -> Clean [LATEST] TLS Certificates Clean-Latest-TLS-Certificates: - if: ${{ !inputs.skip_tests }} + if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }} runs-on: ${{ inputs.runner_type }} needs: Clean-Latest-TLS name: Clean [${{ inputs.service_branch }}] TLS Certificates @@ -529,7 +561,7 @@ jobs: final-status-check: if: ${{ always() }} runs-on: ubuntu-latest - needs: [Zookeeper-Test-Cases, Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets] + needs: [Zookeeper-Test-Cases, Clean-Latest-TLS, Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets] steps: - name: Checkout pipeline uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.1.0 diff --git a/templates/consul-service/consul_clean_all_on_sc_hardening.yml b/templates/consul-service/consul_clean_all_on_sc_hardening.yml new file mode 100644 index 00000000..76501b2d --- /dev/null +++ b/templates/consul-service/consul_clean_all_on_sc_hardening.yml 
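Review bot: With `scope: hardening` the three `Clean-Latest-TLS*` jobs are now skipped, and `final-status-check` still runs because of `if: ${{ always() }}` and now lists `Clean-Latest-TLS` in `needs`; whether the run ends green then depends on how its steps (outside this hunk) interpret `needs.<job>.result == 'skipped'`. If they compare against `'success'` only, every hardening run fails at the status check rather than on a real finding, so please confirm the check treats skipped as acceptable or gate it on `inputs.scope` as well. The `inputs.scope != 'hardening'` condition on `Clean-Latest-TLS-Secrets` and `Clean-Latest-TLS-Certificates` is redundant with their `needs: Clean-Latest-TLS`, which is fine for readability but worth a short comment so it is not later "simplified" away in only one place.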
@@ -0,0 +1,56 @@ +global: + restrictedEnvironment: true + enablePodSecurityPolicies: false + enabled: true +server: + disasterRecovery: + mode: active + region: one + httpAuth: + enabled: false + smNamespace: site-manager + smServiceAccountName: sm-auth-sa + replicas: 3 + bootstrapExpect: 3 + storage: 1Gi + storageClass: standard + resources: + limits: + memory: 300Mi + cpu: 100m +consulAclConfigurator: + enabled: true +dns: + enabled: false +monitoring: + enabled: false +ui: + enabled: true + ingress: + enabled: true + hosts: + - host: consul-consul-service.qa-kubernetes.openshift.sdntest.qubership.org + service: + enabled: true +client: + enabled: true + resources: + requests: + memory: 64Mi + cpu: 25m + limits: + memory: 256Mi + cpu: 25m +backupDaemon: + enabled: true + storage: 1Gi + storageClass: standard + backupSchedule: "*/15 * * * *" + evictionPolicy: 1h/1d,7d/delete +integrationTests: + enabled: true + tags: crud +statusProvisioner: + lifetimeAfterCompletion: 120 + integrationTestsTimeout: 600 + podReadinessTimeout: 900 diff --git a/templates/monitoring/monitoring_hardening.yml b/templates/monitoring/monitoring_hardening.yml new file mode 100644 index 00000000..1932b479 --- /dev/null +++ b/templates/monitoring/monitoring_hardening.yml 
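Review bot: `ui.ingress.hosts[0].host` in the new consul template carries an environment-specific hostname (`consul-consul-service.qa-kubernetes.openshift.sdntest.qubership.org`), while the other new templates in this diff use neutral placeholder domains (`testdomain.local`, `qubership.com`). If the value is not required to resolve in the CI cluster, a placeholder such as `consul-consul-service.testdomain.local` keeps the fixture portable and avoids committing an internal hostname. If it is required, a comment on the line saying which environment it targets would help.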
@@ -0,0 +1,39 @@ +grafana: + ingress: + host: grafana-monitoring.testdomain.local + install: true +integrationTests: + install: true + tags: smoke + timeoutBeforeStart: 60 + statusWriting: + enabled: false +kubernetesMonitors: + kubeSchedulerServiceMonitor: + install: true + kubeControllerManagerServiceMonitor: + install: true +victoriametrics: + vmAuth: + ingress: + install: true + host: vmauth-monitoring.testdomain.local + vmAlert: + ingress: + install: true + host: vmalert-monitoring.testdomain.local + vmSingle: + ingress: + install: true + host: vmsingle-monitoring.testdomain.local + resources: + requests: + memory: 768Mi + cpu: 100m + limits: + memory: 2Gi + cpu: 1500m + vmAlertManager: + ingress: + install: true + host: vmagent-monitoring.testdomain.local diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml new file mode 100644 index 00000000..09ba7970 --- /dev/null +++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml 
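Review bot: `victoriametrics.vmAlertManager.ingress.host` is set to `vmagent-monitoring.testdomain.local`, which looks like a copy-paste slip since every other ingress in the file is named after its own component (`vmauth-`, `vmalert-`, `vmsingle-`); presumably `vmalertmanager-monitoring.testdomain.local` was intended. If two components really are meant to share a host, a comment saying so would prevent the value from being "corrected" later.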
@@ -0,0 +1,103 @@ +global: + cloudIntegrationEnabled: false + tls: + enabled: true + generateCerts: + enabled: true + certProvider: helm + # clusterIssuerName: dev-clusterissuer + restrictedEnvironment: true + disasterRecovery: + mode: "active" + siteManagerEnabled: false +opensearch: + tls: + enabled: false + securityConfig: + authc: + basic: + username: admin + password: Root1234# + securityContextCustom: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fixMount: + enabled: true + securityContext: + runAsUser: 0 + master: + replicas: 3 + resources: + requests: + cpu: 900m + memory: 4Gi + limits: + cpu: 2 + memory: 4Gi + javaOpts: -Xms1024m -Xmx1024m + persistence: + storageClass: standard + size: 10Gi + snapshots: + enabled: false + persistentVolume: "" + storageClass: standard + size: 2Gi + s3: + enabled: false + pathStyleAccess: true + client: + enabled: true + ingress: + enabled: true + hosts: + - opensearch-opensearch-service.qubership.com +dbaasAdapter: + enabled: true + dbaasAggregatorPhysicalDatabaseIdentifier: opensearch + opensearchRepo: snapshots + opensearchRepoRoot: /usr/share/opensearch/ + dbaasUsername: dbaas-adapter + dbaasPassword: dbaas-adapter + registrationAuthUsername: test + registrationAuthPassword: test + securityContext: + runAsUser: 1000 + fsGroup: 1000 +monitoring: + enabled: false + includeIndices: true + slowQueries: + enabled: true +dashboards: + enabled: false + ingress: + enabled: true + hosts: + - host: dashboards-opensearch-service.qubership.com + paths: + - path: / +curator: + enabled: true + backupSchedule: 0 * * * * + evictionPolicy: 0/1d,7d/delete + username: backup + password: backup + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 +integrationTests: + enabled: true + tags: smoke +secret: + idp: + username: "" + password: "" + registrationToken: "" +statusProvisioner: + lifetimeAfterCompletion: 30 + integrationTestsTimeout: 900 + podReadinessTimeout: 900 +PAAS_PLATFORM: "KUBERNETES" 
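Review bot: `opensearch.fixMount.securityContext.runAsUser: 0` requests a root-running container in a template that also sets `global.restrictedEnvironment: true` and feeds a scan run with `fail-on-mandatory-checks: true`; a root container is exactly the kind of finding a Kubernetes hardening scan is likely to report, so either drop `fixMount` from this profile or confirm the scan configuration tolerates it. `opensearch.tls.enabled: false` next to `global.tls.enabled: true` (and `tls: true` in `workflow-config/opensearch_hardening.yaml`) also reads as a mismatch for a hardening profile and deserves a one-line comment on the intent. The file, like the pgskipper, rabbitmq and zookeeper templates in this diff, commits plaintext credentials (`Root1234#`, `dbaas-adapter`, `test`, `backup`); assuming they are throwaway CI values, a header comment such as `# CI-only fixture credentials for the ephemeral test namespace` makes that explicit for anyone grepping the repository for secrets.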
diff --git a/templates/pgskipper/patroni-core-hardening.yaml b/templates/pgskipper/patroni-core-hardening.yaml new file mode 100644 index 00000000..42d90a43 --- /dev/null +++ b/templates/pgskipper/patroni-core-hardening.yaml @@ -0,0 +1,31 @@ +postgresUser: postgres +postgresPassword: p@ssWOrD1 +replicatorPassword: replicator +operator: + resources: + limits: + cpu: 50m + memory: 50Mi + requests: + cpu: 50m + memory: 50Mi +patroni: + install: true + replicas: 2 + securityContext: + fsGroup: 26 + runAsUser: 26 + resources: + requests: + cpu: 125m + memory: 250Mi + limits: + cpu: 250m + memory: 500Mi + storage: + type: provisioned + size: 1Gi + storageClass: standard +tests: + install: true + runTestScenarios: basic diff --git a/templates/pgskipper/patroni-services-hardening.yaml b/templates/pgskipper/patroni-services-hardening.yaml new file mode 100644 index 00000000..225bf67b --- /dev/null +++ b/templates/pgskipper/patroni-services-hardening.yaml @@ -0,0 +1,47 @@ +postgresUser: postgres +postgresPassword: p@ssWOrD1 +operator: + resources: + limits: + cpu: 256m + memory: 256Mi + requests: + cpu: 256m + memory: 256Mi +metricCollector: + install: false + prometheusRules: + backupAlertThreshold: 5 + backupWarningThreshold: 20 + alertDelay: 3m + maxLastBackupAge: 86400 + locksThreshold: 500 + queryMaxTimeThreshold: 3600 + collectionInterval: 60 + telegrafPluginTimeout: 60 + ocExecTimeout: 10 + metricsProfile: prod + prometheusMonitoring: false + applyGrafanaDashboard: false +backupDaemon: + install: true + walArchiving: false + backupSchedule: 0 0/7 * * * + evictionPolicy: 7d/delete + securityContext: + runAsUser: 1000 + fsGroup: 1000 + resources: + limits: + cpu: 250m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + storage: + type: provisioned + size: 1Gi + storageClass: standard +tests: + install: true + runTestScenarios: basic 
diff --git a/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml b/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml new file mode 100644 index 00000000..213e9c34 --- /dev/null +++ b/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml @@ -0,0 +1,44 @@ +global: + cloudIntegrationEnabled: false +name: rabbitmq-service +rabbitmqPrometheusMonitoring: false +rabbitmq: + fsGroup: 5000 + runAsUser: 5000 + hostpath_configuration: false + validate_state: false + clean_rabbitmq_pvs: false + auto_reboot: true + ingress: + enabled: true + host: rabbitmq.qubership.com + custom_params: + rabbitmq_vm_memory_high_watermark: 90% + rabbitmq_default_user: admin + rabbitmq_default_password: admin + resources: + requests: + cpu: 300m + memory: 300Mi + limits: + cpu: 600m + memory: 600Mi + storageclass: standard + storage: 750Mi + enabledPlugins: + - rabbitmq_prometheus + perQueueMetrics: true +backupDaemon: + enabled: true + backupSchedule: "*/15 * * * *" + evictionPolicy: 1h/1d,7d/delete + storageClass: standard + securityContext: + fsGroup: 5000 + runAsUser: 5000 +tests: + runTests: true + runTestsOnly: false + timeout: 300 + tags: smoke + waitTestResultOnJob: true diff --git a/templates/zookeeper-service/zookeeper_install_hardening.yml b/templates/zookeeper-service/zookeeper_install_hardening.yml new file mode 100644 index 00000000..67d85309 --- /dev/null +++ b/templates/zookeeper-service/zookeeper_install_hardening.yml 
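Review bot: The new rabbitmq template spells the storage-class key as `rabbitmq.storageclass` but `backupDaemon.storageClass`; if the chart expects `storageClass` in both places, the first is silently ignored and the PVC falls back to the cluster default class rather than `standard`. Please confirm against the chart's values schema, and if both keys are genuinely different spellings accepted by the chart, a comment on the `storageclass` line noting that would save the next reader the same check.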
@@ -0,0 +1,46 @@ +global: + name: zookeeper + secrets: + zooKeeper: + adminUsername: zadmin + adminPassword: zadmin + clientUsername: zclient + clientPassword: zclient + backupDaemon: + username: admin + password: admin +operator: + securityContext: + fsGroup: 1000 + runAsUser: 1000 +zooKeeper: + replicas: 3 + storage: + className: + - standard + size: 1Gi + securityContext: + fsGroup: 1000 + runAsUser: 1000 +monitoring: + install: true + securityContext: + runAsUser: 1000 + fsGroup: 1000 +backupDaemon: + install: true + backupStorage: + persistentVolumeType: standalone + storageClass: standard + volumeSize: 1Gi + securityContext: + runAsUser: 1000 + fsGroup: 1000 +integrationTests: + install: true + tags: zookeeperNOTzookeeper_backup_daemon + timeout: 600 + pvType: standalone + securityContext: + fsGroup: 1000 + runAsUser: 1000 diff --git a/workflow-config/consul_hardening.yaml b/workflow-config/consul_hardening.yaml new file mode 100644 index 00000000..e0e224d5 --- /dev/null +++ b/workflow-config/consul_hardening.yaml @@ -0,0 +1,7 @@ +jobs: + - name: Clean [${service_branch}] hardening + install_version: ${service_branch} + template: templates/consul-service/consul_clean_all_on_sc_hardening.yml + sequence: install + restricted: true + artifact_name: Clean_CURRENT_Hardening diff --git a/workflow-config/monitoring_hardening.yaml b/workflow-config/monitoring_hardening.yaml new file mode 100644 index 00000000..9a4b1d26 --- /dev/null +++ b/workflow-config/monitoring_hardening.yaml @@ -0,0 +1,8 @@ +jobs: + - name: Clean [${service_branch}] hardening + install_version: ${service_branch} + template: templates/monitoring/monitoring_hardening.yml + sequence: install + check_tests: true + restricted: false + artifact_name: Clean_${service_branch}_Hardening diff --git a/workflow-config/opensearch_hardening.yaml b/workflow-config/opensearch_hardening.yaml new file mode 100644 index 00000000..11585fba --- /dev/null +++ b/workflow-config/opensearch_hardening.yaml 
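Review bot: `workflow-config/monitoring_hardening.yaml` sets `restricted: false` and `artifact_name: Clean_${service_branch}_Hardening`, while `consul_hardening.yaml` here and the four configs that follow all use `restricted: true` and `Clean_CURRENT_Hardening`; for a profile whose purpose is to be scanned with `fail-on-mandatory-checks: true`, running the monitoring install unrestricted looks like an oversight rather than a choice. If monitoring genuinely cannot install in restricted mode, a comment such as `restricted: false  # monitoring operator needs cluster-scoped RBAC` next to the value would document the exception; the artifact-name pattern should also match the others unless the difference is consumed downstream.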
@@ -0,0 +1,9 @@ +jobs: + - name: Clean [${service_branch}] hardening + install_version: ${service_branch} + template: templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml + sequence: install + restricted: true + artifact_name: Clean_CURRENT_Hardening + monitoring: false + tls: true diff --git a/workflow-config/pgskipper_hardening.yaml b/workflow-config/pgskipper_hardening.yaml new file mode 100644 index 00000000..3dee286a --- /dev/null +++ b/workflow-config/pgskipper_hardening.yaml @@ -0,0 +1,9 @@ +jobs: + - name: Clean [${service_branch}] hardening + install_version: ${service_branch} + core_template: templates/pgskipper/patroni-core-hardening.yaml + services_template: templates/pgskipper/patroni-services-hardening.yaml + sequence: install + restricted: true + tls: false + artifact_name: Clean_CURRENT_Hardening diff --git a/workflow-config/rabbitmq_hardening.yaml b/workflow-config/rabbitmq_hardening.yaml new file mode 100644 index 00000000..497bae08 --- /dev/null +++ b/workflow-config/rabbitmq_hardening.yaml @@ -0,0 +1,7 @@ +jobs: + - name: Clean [${service_branch}] hardening + install_version: ${service_branch} + template: templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml + sequence: install + restricted: true + artifact_name: Clean_CURRENT_Hardening diff --git a/workflow-config/zookeeper_hardening.yaml b/workflow-config/zookeeper_hardening.yaml new file mode 100644 index 00000000..1c23a59f --- /dev/null +++ b/workflow-config/zookeeper_hardening.yaml @@ -0,0 +1,8 @@ +jobs: + - name: Clean [${service_branch}] hardening + install_version: ${service_branch} + template: templates/zookeeper-service/zookeeper_install_hardening.yml + sequence: install + restricted: true + artifact_name: Clean_CURRENT_Hardening + monitoring: true